PoC: remove sse, remove server auth, use better-auth for server auth examples, update faq

Author: KKonstantinov

.gitignore

@@ -133,3 +133,4 @@ dist/
 
 # IDE
 .idea/
+.cursor/

docs/faq.md

@@ -65,6 +65,14 @@ For production use, you can either:
 
 The SDK ships several runnable server examples under `examples/server/src`. Start from the server examples index in [`examples/server/README.md`](../examples/server/README.md) and the entry-point quick start in the root [`README.md`](../README.md).
 
+### Why did we remove `server` auth exports?
+
+Server authentication & authorization is outside of the scope of the SDK, and the recommendation is to use packages that focus on this area specifically (or a full-fledged Authorization Server for those who use such). Example packages provide an example with `better-auth`.
+
+### Why did we remove `server` SSE transport?
+
+The SSE transport has been deprecated for a long time, and `v2` will not support it on the server side any more. Client side will keep supporting it in order to be able to connect to legacy SSE servers via the `v2` SDK, but serving SSE from `v2` will not be possible. Servers wanting to switch to `v2` and using SSE should migrate to Streamable HTTP.
+
 ## v1 (legacy)
 
 ### Where do v1 documentation and v1-specific fixes live?

examples/server/package.json

@@ -35,13 +35,14 @@
     },
     "dependencies": {
         "@hono/node-server": "catalog:runtimeServerOnly",
-        "hono": "catalog:runtimeServerOnly",
         "@modelcontextprotocol/examples-shared": "workspace:^",
         "@modelcontextprotocol/server": "workspace:^",
         "@modelcontextprotocol/server-express": "workspace:^",
         "@modelcontextprotocol/server-hono": "workspace:^",
+        "better-auth": "^1.4.7",
         "cors": "catalog:runtimeServerOnly",
         "express": "catalog:runtimeServerOnly",
+        "hono": "catalog:runtimeServerOnly",
         "zod": "catalog:runtimeShared"
     },
     "devDependencies": {

examples/server/src/elicitationUrlExample.ts

@@ -9,17 +9,20 @@
 
 import { randomUUID } from 'node:crypto';
 
-import { setupAuthServer } from '@modelcontextprotocol/examples-shared';
-import type { CallToolResult, ElicitRequestURLParams, ElicitResult, OAuthMetadata } from '@modelcontextprotocol/server';
 import {
-    checkResourceAllowed,
     getOAuthProtectedResourceMetadataUrl,
+    mcpAuthMetadataRouter,
+    requireBearerAuth,
+    setupAuthServer
+} from '@modelcontextprotocol/examples-shared';
+import type { CallToolResult, ElicitRequestURLParams, ElicitResult, OAuthMetadata } from '@modelcontextprotocol/server';
+import {
     isInitializeRequest,
     McpServer,
     NodeStreamableHTTPServerTransport,
     UrlElicitationRequiredError
 } from '@modelcontextprotocol/server';
-import { createMcpExpressApp, mcpAuthMetadataRouter, requireBearerAuth } from '@modelcontextprotocol/server-express';
+import { createMcpExpressApp } from '@modelcontextprotocol/server-express';
 import cors from 'cors';
 import type { Request, Response } from 'express';
 import express from 'express';
@@ -238,47 +241,6 @@ const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
 const oauthMetadata: OAuthMetadata = setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: true });
 
-const tokenVerifier = {
-    verifyAccessToken: async (token: string) => {
-        const endpoint = oauthMetadata.introspection_endpoint;
-
-        if (!endpoint) {
-            throw new Error('No token verification endpoint available in metadata');
-        }
-
-        const response = await fetch(endpoint, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded'
-            },
-            body: new URLSearchParams({
-                token: token
-            }).toString()
-        });
-
-        if (!response.ok) {
-            const text = await response.text().catch(() => null);
-            throw new Error(`Invalid or expired token: ${text}`);
-        }
-
-        const data = (await response.json()) as { aud: string; client_id: string; scope: string; exp: number };
-
-        if (!data.aud) {
-            throw new Error(`Resource Indicator (RFC8707) missing`);
-        }
-        if (!checkResourceAllowed({ requestedResource: data.aud, configuredResource: mcpServerUrl })) {
-            throw new Error(`Expected resource indicator ${mcpServerUrl}, got: ${data.aud}`);
-        }
-
-        // Convert the response to AuthInfo format
-        return {
-            token,
-            clientId: data.client_id,
-            scopes: data.scope ? data.scope.split(' ') : [],
-            expiresAt: data.exp
-        };
-    }
-};
 // Add metadata routes to the main MCP server
 app.use(
     mcpAuthMetadataRouter({
@@ -290,9 +252,10 @@ app.use(
 );
 
 authMiddleware = requireBearerAuth({
-    verifier: tokenVerifier,
     requiredScopes: [],
-    resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(mcpServerUrl)
+    resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(mcpServerUrl),
+    strictResource: true,
+    expectedResource: mcpServerUrl
 });
 
 /**

examples/server/src/honoWebStandardStreamableHttp.ts

@@ -10,7 +10,6 @@
 import { serve } from '@hono/node-server';
 import type { CallToolResult } from '@modelcontextprotocol/server';
 import { McpServer, WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/server';
-import { mcpStreamableHttpHandler } from '@modelcontextprotocol/server-hono';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import * as z from 'zod/v4';
@@ -57,7 +56,7 @@ app.use(
 app.get('/health', c => c.json({ status: 'ok' }));
 
 // MCP endpoint
-app.all('/mcp', mcpStreamableHttpHandler(transport));
+app.all('/mcp', c => transport.handleRequest(c.req.raw));
 
 // Start the server
 const PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;